firewall log
brucehohl
08-30-2003, 02:56 AM
I've got SuSE 8.1 and use SuSE's SuSEfirewall2 tool. I also use the box for file sharing with Samba. In the firewall log the following message repeats over and over:
kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth1 OUT= MAC= SRC=192.168.0.1 DST=192.168.0.255 LEN=240 TOS=0x00 PREC=0x00 TTL=64 ID=25063 DF PROTO=UDP SPT=138 DPT=138 LEN=220
kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth1 OUT= MAC= SRC=192.168.0.1 DST=192.168.0.255 LEN=236 TOS=0x00 PREC=0x00 TTL=64 ID=25064 DF PROTO=UDP SPT=138 DPT=138 LEN=216
192.168.0.1 is the internal IP address for my box. Over 1/2 the log is the above 2 entries over and over. How can I get rid of these entries? Thanks for any replies for help.
mychl
09-02-2003, 01:39 PM
Port 138 is NetBios Datagram service.
Looks like 192.168.0.1 is trying to broadcast a message to your entire subnet.
Since sending a message to your entire LAN at one time should be considered SPAM, your firewall is doing well.
Is 192.168.0.1 your Linux box? Either way, check your 192.168.0.1 machine for any service/worm/virus that might be trying to broadcast a message on 138.
HTH
brucehohl
09-02-2003, 07:53 PM
192.168.0.1 is the Linux box running the firewall and Samba.
I am fairly certain these two firewall log entries are caused by Samba. I think Samba uses these broadcasts to find all boxes on the subnet in order to produce and distribute an accurate browse list. The entries occur exactly 12 minutes apart.
I think what I really need is a custom firewall rule in SuSEfirewall2 that will prevent these entries in the log. SuSE has a nice built in frontend for iptables that provides a simple configuration GUI tool plus a well commented config file at /etc/sysconfig/SuSEfirewall2 and finally the ability to set up custom rules in the file /etc/sysconfig/SuSEfirewall2-custom.
I read the docs for SuSEfirewall2 and iptables but I'm not sure how to set up the proper rule. I guess I was hoping someone else was using SuSEfirewall2 and Samba and had already done this (and could share how). If not, I will eventually figure it out and do a follow-up post.
brucehohl
09-06-2003, 06:03 PM
I finally found the answer at this location:
http://cert.uni-stuttgart.de/archive/suse/security/2003/07/msg00143.html
In file /etc/sysconfig/SuSEfirewall2 include:
FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
The file /etc/sysconfig/scripts/SuSEfirewall2-custom includes the following:
iptables -A INPUT -j DROP -p udp -s 192.168.0.1 -d 192.168.0.255 --sport 138 --dport 138
This is needed to prevent the following /var/log/messages entries every 12 minutes, due to Samba broadcast activity from 192.168.0.1 to 192.168.0.255, i.e. from localhost to localhost (and the rest of 192.168.0) - Spoofing.
kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth1 OUT= MAC= SRC=192.168.0.1 DST=192.168.0.255 LEN=240 TOS=0x00 PREC=0x00 TTL=64 ID=629 DF PROTO=UDP SPT=138 DPT=138 LEN=220
kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth1 OUT= MAC= SRC=192.168.0.1 DST=192.168.0.255 LEN=236 TOS=0x00 PREC=0x00 TTL=64 ID=630 DF PROTO=UDP SPT=138 DPT=138 LEN=216
Hope this helps someone else using SuSEfirewall2 and Samba.
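Before silencing a DROP rule, it is worth confirming that every suppressed entry really is the box's own NetBIOS datagram broadcast and not some other host tripping the same anti-spoofing check. The following Python script is an added example written for this thread, not code from the original posts or from SuSEfirewall2: it parses the kernel SuSE-FW-DROP lines shown above, classifies an entry as the host's own Samba browse broadcast only when the source is the box's own address, the destination is the subnet's directed broadcast, and both UDP ports are 138, and it reproduces the custom iptables rule from the last post for the given addresses. The sample log text is constructed; its third line (source 10.0.0.7) is made up to show an entry that should not be silenced. The host address and subnet are passed in as parameters because the script cannot know them.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the two kernel lines from the thread, plus one made-up line
# with a foreign source address that matches the same ports but must NOT be
# treated as the box's own Samba broadcast.
SAMPLE_LOG = """\
kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth1 OUT= MAC= SRC=192.168.0.1 DST=192.168.0.255 LEN=240 TOS=0x00 PREC=0x00 TTL=64 ID=25063 DF PROTO=UDP SPT=138 DPT=138 LEN=220
kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth1 OUT= MAC= SRC=192.168.0.1 DST=192.168.0.255 LEN=236 TOS=0x00 PREC=0x00 TTL=64 ID=25064 DF PROTO=UDP SPT=138 DPT=138 LEN=216
kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth1 OUT= MAC= SRC=10.0.0.7 DST=192.168.0.255 LEN=236 TOS=0x00 PREC=0x00 TTL=64 ID=31 DF PROTO=UDP SPT=138 DPT=138 LEN=216
"""

NETBIOS_DGM = 138  # NetBIOS Datagram Service, used by Samba browse broadcasts

# key=value tokens of the netfilter log format; flags like "DF" carry no "=" and are skipped
FIELD_RE = re.compile(r"(\w+)=(\S*)")
HEADER_RE = re.compile(r"kernel:\s+(SuSE-FW-\S+)\s+(.*)")


@dataclass
class DropEntry:
    rule: str                 # e.g. SuSE-FW-DROP-ANTI-SPOOFING
    iface_in: str             # IN= interface
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    sport: Optional[int]
    dport: Optional[int]


def parse_drop_line(line: str) -> Optional[DropEntry]:
    """Parse one SuSEfirewall2 kernel log line; return None for anything else."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    rule, rest = m.groups()
    fields = {}
    for key, value in FIELD_RE.findall(rest):
        # LEN appears twice (IP total length, then UDP length); keep the first one
        fields.setdefault(key, value)
    try:
        return DropEntry(
            rule=rule,
            iface_in=fields.get("IN", ""),
            src=ipaddress.IPv4Address(fields["SRC"]),
            dst=ipaddress.IPv4Address(fields["DST"]),
            proto=fields.get("PROTO", ""),
            sport=int(fields["SPT"]) if "SPT" in fields else None,
            dport=int(fields["DPT"]) if "DPT" in fields else None,
        )
    except (KeyError, ValueError):
        return None


def is_own_netbios_broadcast(entry: DropEntry, own_ip: str, subnet: str) -> bool:
    """True only for the host's own UDP 138->138 datagram to the subnet broadcast."""
    net = ipaddress.IPv4Network(subnet)
    return (
        entry.proto == "UDP"
        and entry.sport == NETBIOS_DGM
        and entry.dport == NETBIOS_DGM
        and entry.src == ipaddress.IPv4Address(own_ip)
        and entry.dst == net.broadcast_address
    )


def triage(log_text: str, own_ip: str, subnet: str) -> Tuple[List[DropEntry], List[DropEntry]]:
    """Split DROP entries into (benign own-broadcasts, entries still worth a look)."""
    benign, suspect = [], []
    for line in log_text.splitlines():
        entry = parse_drop_line(line)
        if entry is None:
            continue
        (benign if is_own_netbios_broadcast(entry, own_ip, subnet) else suspect).append(entry)
    return benign, suspect


def suppression_rule(own_ip: str, subnet: str) -> str:
    """The custom rule from the thread, generated for the given host address and subnet."""
    net = ipaddress.IPv4Network(subnet)
    return (f"iptables -A INPUT -j DROP -p udp -s {own_ip} -d {net.broadcast_address} "
            f"--sport {NETBIOS_DGM} --dport {NETBIOS_DGM}")


if __name__ == "__main__":
    ok, look = triage(SAMPLE_LOG, "192.168.0.1", "192.168.0.0/24")
    print(f"own Samba broadcasts: {len(ok)}, entries to investigate: {len(look)}")
    for e in look:
        print(f"  {e.rule} in={e.iface_in} {e.src}:{e.sport} -> {e.dst}:{e.dport}")
    print(suppression_rule("192.168.0.1", "192.168.0.0/24"))
```

Note that the generated rule, like the one in the thread, still drops the datagrams; it only stops the kernel from logging them, so the entries disappear from /var/log/messages while the anti-spoofing behaviour is unchanged. Any line that lands in the "investigate" list has the same ports but a different source or destination, which is exactly the case the anti-spoofing rule exists to catch.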